SCCM-Migrating from HTTP to HTTPS


Hi All,

Have you ever needed to migrate an SCCM 2012 (or Current Branch) environment from HTTP to HTTPS? If you have, you know that it is quite easy, but there are some challenges when things go wrong, of course :)

The steps I normally take (and I hope I haven’t forgotten any :)) are:
1- Create the certificate templates (ConfigMgr Clients (if the workstation is not already in place), ConfigMgr IIS Servers and ConfigMgr DP Servers)
2- Request the certificates
3- On the IIS servers, change the binding to allow the HTTPS port (default 443) and select the certificate
4- Export the Root CA (and any other CA) certificate and import it into SCCM. Note: do not force SCCM to use PKI; instead, allow it to use HTTP or HTTPS.
5- For each client, confirm that the Client Certificate is set to PKI (you can easily check HKLM\Software\Microsoft\CCM\HttpsState and HKLM\Software\Microsoft\CCM\PKICertReady), or you can check the report "Clients incapable of HTTPS communication"
6- Confirm that you can navigate to HTTPS://
7- From the server, confirm that you can navigate to the CRL for the certificate selected
8- From the client, confirm that you can navigate to the CRL for the certificate
9- On the console, add the column “Client Certificate” and confirm that it is set to “PKI” for all clients (this may take a couple of days/week to be completed)
10- Once all machines are ready to use HTTPS, migrate the MP and check the logs: MPSetup, MPMSI & MPControl
11- On the client side, check the ccmmessaging log
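
The checks in steps 5, 7 and 8 can be scripted. The PowerShell below is an added example, not part of the original post: it reads the two registry entries from step 5 and tries to download the CRL for each certificate in the computer's Personal store. It assumes HttpsState and PKICertReady are values under the HKLM\SOFTWARE\Microsoft\CCM key, that the CRL distribution points are published over HTTP(S), and that the formatted extension text lists them as `URL=...`.

```powershell
# Added example: run in an elevated PowerShell session on a client (steps 5 and 8)
# or on the site system server (step 7).

# Step 5: report the client PKI state from the registry.
# Assumption: both names are values under the CCM key.
$ccmKey = 'HKLM:\SOFTWARE\Microsoft\CCM'
$ccm = Get-ItemProperty -Path $ccmKey -ErrorAction SilentlyContinue
foreach ($name in 'HttpsState', 'PKICertReady') {
    $value = if ($ccm -and $ccm.PSObject.Properties[$name]) { $ccm.$name } else { '<not present>' }
    '{0}\{1} = {2}' -f $ccmKey, $name, $value
}

# Steps 7/8: for every unexpired certificate in the computer's Personal store,
# extract the HTTP(S) CRL distribution points and try to download each one.
$cdpOid = '2.5.29.31'   # CRL Distribution Points extension
$certs  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -gt (Get-Date) }

foreach ($cert in $certs) {
    "Certificate $($cert.Thumbprint) ($($cert.Subject))"
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
    if (-not $cdp) {
        '  no CRL distribution point extension'
        continue
    }

    # Assumption: the formatted extension lists each location as "URL=<location>".
    # LDAP locations are skipped; only HTTP(S) ones are tested here.
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    if (-not $urls) {
        '  no HTTP(S) CRL location published'
        continue
    }

    foreach ($url in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            "  OK   $url (HTTP $($r.StatusCode), $($r.RawContentLength) bytes)"
        } catch {
            "  FAIL $url : $($_.Exception.Message)"
        }
    }
}
```

A FAIL line for a certificate that a site system or client will present is worth resolving before the site is switched to HTTPS only.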

Now it is time to start migrating and testing all other roles and once all roles have been migrated successfully

For DP:
– Import the new DP certificate and set the DP to use HTTPS

For Application Catalog:
– Set the IIS bindings to use an IIS certificate
– You can easily change the app catalog website from HTTP to HTTPS; however, you cannot do it for the app catalog web service. In this case, you’ll need to uninstall and install it again.

For SUP:
– Set the IIS binding to use an IIS certificate
– Run WSUSUtil.exe configuressl (check ServerCertificateName and PortNumber under HKLM\Software\Microsoft\Update Services\Server\Setup).
– Change the SUP to use SSL and confirm it is working
– Force APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService and SimpleAuthWebService to use SSL only

If everything goes well, migrate the site to HTTPS only 🙂

If something goes wrong, you’ll see your mpcontrol log reporting a problem connecting, forbidden, etc.
11- Check this:
12- Check this:
13- check this:
14- check this:

Remember, this is only one part of SCCM security. You should also have a console security strategy in place (I mean, good RBAC settings that only allow people to do what they are supposed to do, and nothing else), as well as security for the server, SQL, etc.


Raphael is a 9 times Microsoft MVP with over 20 years of experience in IT, in which 13 years have been dedicated to System Center and Automation. His extended experience has been developed through several IT roles, from first-line support to principal consultant, towards a wide range of clients and sectors. One of the four MVPs in Enterprise Client Management in the UK, Raphael holds more than 30 Microsoft certifications and is an MCT (Microsoft Certified Trainer). Since 2008, Raphael has been providing Microsoft trainings from basic to advanced levels in several categories. Throughout his career, Raphael has joined as speaker in well-known events such as TechEd and Gartner Security Risk Management. He also organised community events and lectured around the world, sharing best practices and knowledge within the industry. Bilingual in English and Portuguese, Raphael has authored diverse articles published in Microsoft's TechEd, served as the editor-in-chief of a magazine focused on System Center in Brazil and wrote two books: "Understanding System Center 2012 SP1 Configuration Manager: The walkthrough book" and "System Center 2012 R2 Configuration Manager: Automation from Zero to Hero".
